Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor Impersonation
Vulnerability Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
授权机制不恰当
Vulnerability Title
Rocket.Chat 授权问题漏洞
Vulnerability Description
RocketChat rocket.chat是巴西RocketChat公司开源的一款团队协作即时通讯平台。 Rocket.Chat存在授权问题漏洞,该漏洞源于在visitors.info端点返回的响应中包含token,可能导致授权问题。以下版本受到影响:8.5.0之前版本、8.4.2之前版本、8.3.4之前版本、8.2.4之前版本、8.1.5之前版本、8.0.6之前版本、7.13.8之前版本和7.10.12之前版本。
CVSS Information
N/A
Vulnerability Type
N/A